SAML - Security Assertion Markup Language

Sitharanishadini
Sep 27, 2019

Before moving to SAML, let us first talk about what leads to SAML.

We live in a digital era, so we usually log in to many different applications during our day-to-day life. We need to provide credentials for each and every application that we log in to. To make this convenient and effective we use SSO (Single Sign-On). With that we need a standard procedure, or protocol, for the different parties to communicate. That is where SAML comes into play.

For example, let's think about deaf people.

Those people need a common set of signs to communicate with each other. Those signs should be understood by every deaf person. If they do not have a common set of signs, they cannot understand what the other is trying to communicate.

Likewise, SAML is also a common standard.

But you may ask: can't we use the HTTP protocol to do this? No, we can't. We cannot use HTTP cookies to have a single set of credentials to log in to many applications, because according to the HTTP protocol, cookies cannot be shared between multiple domains.

SAML is an open standard: an XML-based framework for authentication and authorization between two parties (service providers and identity providers).

Simply put, authentication and authorization data are shared using the SAML format.

Authentication is done through a digitally signed XML document. With SAML we do not need to worry about typing credentials or remembering and resetting passwords. The latest SAML version is SAML 2.0. SAML has lots of supporting and interoperability specifications.

Now we will dig deeper into SAML.

We use SAML in Single Sign-On. There are three participants in SSO:

  • User
  • Service Provider (SP)
  • Identity Provider (IdP)

The SSO flow works as follows:

  1. The user requests a service from the service provider.
  2. The service provider requests the user's identity from an identity provider.
  3. The end user's credentials are authenticated with the IdP, which then sends the SAML response and assertion to the SP.
  4. The SP obtains the SAML response and assertion and authorizes the user.

There are two use cases in SAML login:

  • Service Provider initiated login (SP initiated login)
  • Identity Provider initiated login (IdP initiated login)

Service Provider initiated login

When the service provider initiates or begins the process of web SSO, we call it SP initiated login.

Identity Provider initiated SSO

When the identity provider initiates or begins the process of web SSO, we call it IdP initiated login.

With SSO, users sign in to different applications with a single set of credentials. But with SSO, users unknowingly leave applications open. Users do not manually sign in to each application; when they sign in using SSO, sessions may get opened that the user is not aware of, and users do not sign out from all of those sessions. These sessions which are left open are called orphaned logins, and they can lead to session hijacking.

To overcome this problem, Single Logout (SLO) was introduced. SAML is one of the most popular protocols that can be used for the SLO process.

Service Provider initiated SLO

  1. The user hits logout in the web browser, on the service provider (SP1).
  2. The service provider creates a digitally signed SAML logout request and sends it to the IdP.
  3. The IdP identifies all the SSO sessions for the user and generates a logout request for each of the other service providers (SP2 and SP3).
  4. Logout responses are sent to the IdP by the SPs.
  5. The IdP terminates the session and sends a logout response to SP1.

Identity Provider initiated SLO

  1. The user clicks the logout link on the IdP page, which calls the IdP logout endpoint.
  2. The IdP identifies all the SPs associated with that session.
  3. The IdP creates a digitally signed SAML logout request.
  4. It sends the logout requests to the SPs and waits for the logout responses.
  5. Each SP terminates the user's session after validating the logout request from the IdP.
  6. After all SPs have responded with a logout response, the IdP terminates the session.

Similar to SSO, SLO also has two use cases, depending on which participant initiates the logout process.
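As an added illustration of the SP initiated SLO flow above and of the validation each SP performs before ending a session (example code, not from the post or any SAML library): a minimal Python model in which an HMAC keyed with a constructed secret stands in for the IdP's XML signature, whereas real deployments verify the ds:Signature against the IdP certificate. The entity IDs, the user alice and the session indexes are constructed.

```python
import hashlib, hmac, uuid
import xml.etree.ElementTree as ET
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS, REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:Requester"
IDP_KEY = b"constructed-idp-signing-secret"  # constructed stand-in for the IdP's signing key
def sign(issuer, name_id, session_index):  # stand-in for XML-DSig: HMAC over the fields the SP must trust
    return hmac.new(IDP_KEY, f"{issuer}|{name_id}|{session_index}".encode(), hashlib.sha256).hexdigest()

def build_logout_request(issuer, name_id, session_index):
    # samlp:LogoutRequest naming the user (NameID) and the session (SessionIndex) to close.
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex, Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    req.set("Signature", sign(issuer, name_id, session_index))  # stands in for a ds:Signature child
    return ET.tostring(req, encoding="unicode")

class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id):
        self.entity_id, self.idp, self.sessions = entity_id, idp_entity_id, {}  # session_index -> name_id
    def handle_logout_request(self, xml):
        # Validate issuer and signature first: an SP must not end a session on an unverified request.
        req = ET.fromstring(xml)
        issuer, name_id, idx = [req.findtext(t) for t in (f"{{{SAML}}}Issuer", f"{{{SAML}}}NameID", f"{{{SAMLP}}}SessionIndex")]
        if issuer != self.idp or not hmac.compare_digest(req.get("Signature", ""), sign(issuer, name_id, idx)):
            return REQUESTER  # unsigned, tampered or foreign request: the session stays open
        self.sessions.pop(idx, None)
        return SUCCESS

class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id, self.sso = entity_id, {}  # name_id -> {sp_entity_id: (sp, session_index)}
    def login(self, sp, name_id):  # SSO: record every SP session so that SLO can reach all of them
        idx = "_" + uuid.uuid4().hex
        sp.sessions[idx] = name_id
        self.sso.setdefault(name_id, {})[sp.entity_id] = (sp, idx)
    def sp_initiated_logout(self, initiator, name_id):
        # Steps 3-5: signed LogoutRequest to each other SP, collect the responses, close the IdP session.
        others = [v for k, v in self.sso.pop(name_id, {}).items() if k != initiator.entity_id]
        statuses = [sp.handle_logout_request(build_logout_request(self.entity_id, name_id, idx)) for sp, idx in others]
        return SUCCESS if all(s == SUCCESS for s in statuses) else REQUESTER

def run_slo():
    # Constructed scenario: alice is signed in to SP1, SP2 and SP3 and clicks logout at SP1.
    idp = IdentityProvider("https://idp.example.test")
    sps = [ServiceProvider(f"https://sp{n}.example.test", idp.entity_id) for n in (1, 2, 3)]
    for sp in sps: idp.login(sp, "alice")
    status = idp.sp_initiated_logout(sps[0], "alice")
    if status == SUCCESS: sps[0].sessions.clear()  # SP1 ends its own session on the IdP's LogoutResponse
    return status, [len(sp.sessions) for sp in sps], len(idp.sso)
```

Running `run_slo()` shows every SP session and the IdP's own SSO record closed, while a request with a foreign issuer or an altered SessionIndex is refused and the session stays open.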


Originally published at https://medium.com on September 27, 2019.
